Democratizing the creep factor: Anyone can play NSA, “Ocean’s 11” and cyberstalker

I spent four days last week at Black Hat and DEF CON watching presentations on how quite literally everything with a connection — and some things without one — can be hacked. We’re not talking about just letting someone into your hard drive, either, but into your home. Alarms, door locks, TVs, surveillance cameras, medical devices, toys, cars, keys, toilets — they all can be manipulated in the name of stealing stuff or perhaps just good, old-fashioned invasion of privacy.

Corporations, government agencies and people of great import should be scared. Average citizens? Well, we should be a little freaked out, too.

Scary news first: public spaces are not your friends

Some of the Black Hat and DEF CON presentations were truly off-putting, particularly those about placing devices in public places to harvest network traffic or personal data about everyone connected to a network. I didn’t see the talk about using femtocells to steal packets from CDMA phones, but the session description did the trick. Here’s the first paragraph:

“I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don’t even know you’re connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box… for free.”

Same with CreepyDOL, a small Raspberry Pi-powered device and software package that grabs all the personal data computers automatically give away when they connect to a WiFi network. It comes complete with visualization software that makes the data easier to mine. (It got a little press elsewhere, including from the New York Times.)

Just plug in and start harvesting data, for about $50. Source: Brendan O’Connor

And those are just the new, shiny exploits. It’s already common knowledge that you shouldn’t walk around a place like DEF CON with your Bluetooth turned on. Two years ago at Black Hat, Carnegie Mellon researcher Alessandro Acquisti explained how much personal information someone could glean from snapping a smartphone photo and having a good idea where you live.

Smart TVs probably aren’t, either

“In some ways,” Adam Grattafiori of iSEC Partners said during a Black Hat talk, “[a smart TV is] really just a smartphone with a 50-inch screen.” Then he and partner Josh Yavor proceeded to show exactly how they’re different — including how easy it is to get access to that built-in webcam that often has a wide view of an entire room.

First, they exploited holes in the TV’s firmware (they focused on Samsung) but that’s not too useful unless someone can actually access the TV. Thankfully for hackers, smart TVs are full of apps that are full of holes.

“Social media applications really are just remote content injection,” Yavor said. He and Grattafiori wanted to turn them into “remote command injection” so they could run malicious code. They showed how they did this in Skype by injecting malicious JavaScript into a Mood Message, which actually runs as code. Whenever that message displayed on someone else’s TV, the code would execute.

Grattafiori and Yavor also demonstrated how they were able to attack the TV’s browser and inject code via an alert message. Once they have credentials and access to an app’s permissions and files, it’s easy enough to start digging around for personal information or perhaps getting creepy with the video camera. I can almost sense the sextortionists out there drooling over what they might catch on video.

For some reason, though, hacking that affects our physical firewalls and not just our digital ones seems uniquely disturbing — and Black Hat and DEF CON provided plenty of examples of how that might work.

Keys, like for your front door

Two MIT students demonstrated how to fabricate the supposedly irreplicable Schlage Primus key for just a few dollars using a 1,200-dpi scanned image, some CAD software and a 3-D printing service. If you can’t get your hands on the necessary key, no problem. They suspect a good photo (using a telephoto lens) of a key dangling from the guard’s keychain could do the trick, too.

And to make things worse, they suggested an internet key-sharing ecosystem might crop up, like BitTorrent or Pirate Bay, but for CAD models of keys that can then be printed. Maybe they could start with the master keys to New York City.

Your car’s electronic system, which controls everything

In 2011, a team of researchers published a paper explaining how someone could breach cars’ electronic control units (ECUs) using their cellular networks (e.g., OnStar), their Bluetooth connections and even Bluetooth-connected smartphones inside a car. At DEF CON, security experts Charlie Miller and Chris Valasek of IOActive Labs showed what’s possible when cars are breached by actually showing video of them doing it. (You can get their paper and all their code here.)

“If you guys need any work done,” Miller joked to the crowd, “we’re mechanics now.”

Someone who can figure out which packets sent across the central message bus relate to which commands — very hard work, and different for nearly every make and model — can do a lot. Send vehicle data back to a server, control the brakes, gas pedal, steering wheel, horn and locks. It’s not so crazy to think high-tech car thieves or even kidnappers would hang out in parking lots targeting fancy cars or VIPs, or that a ring of mechanics with direct access via diagnostic tools could compromise cars for later thievery.

Network-connected surveillance cameras that are used to secure premises are terribly insecure and can be hacked to send the systems administrators watching the feed whatever the hacker wants them to see. Security researcher Craig Heffner of Tactical Network Solutions demonstrated how he could replace the video feed of an area with a still shot of that same area (e.g., an empty hallway) or even access other stuff on the network.

Time to go Luddite?

Do we need to leave the city for a cabin in the mountains? Probably not just yet. The good news is that many of the specific companies whose products were hacked — including Samsung, Z-Wave and MiCasaVerde — have been gracious about the discovery of these flaws and are working to improve them. I have to assume wireless device manufacturers and carriers are working to improve the security of their products, too.

The other good news is that some of this stuff is still really hard to do. That guy who smashed your car window and took your iPod isn’t hacking your car anytime soon. And some stuff, like infiltrating smart-home networks, requires being close enough to intercept radio frequency signals between the various devices.

But should we trade in our Priuses for ’84 Ford Escorts nonetheless? Maybe. Toyota hasn’t been so quick to embrace what Miller and Valasek found out about the Prius, as Miller pointed out in this tweet:

So now Toyota is saying you can only do our attacks if you remove the dashboard. This is absurd and very troubling that Toyota would say this